The growing need for better user authentication, especially in consumer settings such as online banking, is drawing increased attention to technologies such as one-time passwords. In a one-time password system, a user typically carries a device or “token” that generates and displays a series of passwords over time. The user reads the currently displayed password and enters it into a personal computer, e.g., via a Web browser, as part of an authentication operation. Such a system offers a significant improvement over conventional password-based authentication since the password is dynamic and random. Previously misappropriated one-time passwords are of no help to an attacker in determining the current password, which remains hard to guess.
One particular example of a one-time password device of the type described above is the RSA SecurID® user authentication token, commercially available from RSA, The Security Division of EMC Corporation, of Bedford, Mass., U.S.A.
There are, however, a number of challenges in realizing the potential of one-time password technology on a broad scale, most notably the complexity of providing one-time password devices to many users. Although such a device itself is not expensive, the logistics involved in distributing hardware to users can be substantial. In addition, unless the device is preprogrammed with a secret seed from which to generate one-time passwords, the seed must be provisioned in the field. This may require special device-specific protocols.
For these reasons, organizations have been considering alternative implementations of one-time password technology based on devices that the user already has, such as a mobile phone or a multimedia device. Such implementations avoid the logistics of separate authentication device distribution. However, enabling such devices to generate and display one-time passwords conveniently is not straightforward. The devices are designed for a different primary purpose, and it may be difficult to install and use new software for the secondary purpose of user authentication. The user interface is one such challenge: It may take a large number of “clicks” just to start the one-time password application.
These factors are obstacles to broader deployment of one-time password technology on a scale comparable, say, to the adoption of multimedia devices such as MP3 players.
Accordingly, a need exists for a device which is capable of providing one-time passwords to users while avoiding the above-noted deployment difficulties and other problems associated with conventional one-time password devices.